Method for monitoring a network and network including a monitoring functionality

Abstract

A method for monitoring a network, wherein the network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and / or other mediator nodes, and at least one root entity that receives network measurement data and / or aggregated network measurement data from the mediator nodes, is characterized in that the aggregation of network measurement data is performed by condensing network measurement data into a summarized probabilistic data structure. Furthermore, a network including a monitoring functionality is disclosed.

Description

CROSS-REFERENCES TO RELATED APPLICATIONS[0001]This application is a U.S. National Stage of PCT / EP2010 / 005344 filed Aug. 31, 2010 and claiming priority to EP 0901192.3 filed Sep. 1, 2009.BACKGROUND OF THE INVENTION[0002]The present invention relates to a method for monitoring a network, wherein said network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that collect network measurement data, a plurality of mediator nodes each performing at least the task of aggregating network measurement data received from different monitoring nodes and / or other mediator nodes, and at least one root entity that receives network measurement data and / or aggregated network measurement data from said mediator nodes.[0003]Furthermore, the present invention relates to a network including a monitoring functionality, wherein said network has a connected graph topology, in particular a tree structure, including a plurality of monitoring nodes that co...

AI Technical Summary

Benefits of technology

The present invention allows for a multi-domain exchange for pattern detection while preserving the anonymity of users being monitored. It also allows for the creation of a scalable framework for aggregation of measurement data while still supporting the possibility of retrieving more accurate after-the-fact logs. Compared to previous solutions, the present invention is more flexible in accommodating a huge amount of data while still preserving high granularity. The backtracking capability checks complete data records in case a pattern is detected. The data structures used should have a low memory footprint and query time, should avoid the occurrence of false negatives, and should be able to detect event patterns that involve variations in measurement data. The invention also allows for the triggering of a backtracking process and the checking of cached copies of the summarized data structure against the backtracking request.

Problems solved by technology

Unfortunately, monitoring traffic in real-time and in a distributed way presents a range of difficult issues.

The first of these is scalability: the volume of traffic to be monitored is rapidly growing, with reports stating that the annual global IP traffic volume will exceed half a zettabyte (5×1020 bytes) by 2012 and will nearly double every two years (see for reference “Approaching the zettabyte era”; this growth puts serious stress on any monitoring infrastructure that tries to centralize the collection of data.

Another issue is privacy, since any monitoring architecture should ensure that it can accomplish its intended purpose without infringing on end-users' privacy.

Further, several applications (e.g., law enforcement, security incident reporting, etc) have the need to backtrack to the originating monitoring probe in order to retrieve more detailed information, a requirement that could not be met by a simple scheme that exports only summarized information to achieve scalability and privacy-preservation.

While some solutions in the area exist, none of them are able to tackle all of these issues at once.

Unfortunately, this model does not scale with the growing amount of monitored data.

However, such solutions so far do not tackle the issue of inter-connecting different administrative domains (i.e., they are all single-administrative domain solutions).

Unfortunately, in order to detect certain kinds of anomalies (botnet attacks are a good example), correlation of monitoring data collected in different administrative domains is needed.

Solutions based on distributed aggregation trees (DATs) ensure scalability to the system, but, so far, they have been usually limited to monitoring of only a few aggregated performance parameters (for instance, see for reference Yalagandula, P. and Dahlin, M.

Further, they lack the flexibility needed to monitor the network behavior at a higher granularity.

In any case, they do not allow attributing anomalous behavior to single users and they do not take privacy into consideration.

Further, they do not offer support for after-the-fact auditing of the relevant logs.

Images